
I have a FreeBSD server that I like to be able to get to from anywhere. Normally I use an SSH public key to log in, or if I don't have my SSH private key available then I might use a regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my login password as I type it.

FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.

I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd) but I'm not certain on the details.

How can I set up authentication where two methods are required?

Greg Hewgill
  • If you lost the list of OTPs, wouldn't you know this and change your opie password? – Chris S Aug 26 '10 at 20:33
  • @Chris S: that assumes you can log in to the server from wherever you are without having your OTP list. – Greg Hewgill Aug 26 '10 at 20:45
  • Considering OPIE hasn't been updated in almost 16 years, I'm sure it was an oversight at the time; I don't know of a way to do what you're asking, but it definitely sounds like a really good idea that should be implemented. My smart@ss answer to being able to log in from almost everywhere: consider getting a smart phone with PocketPutty or a similar app. – Chris S Aug 26 '10 at 20:55

2 Answers

Google Authenticator maybe? I have my OpenSolaris box asking first for the normal login password, then the TOTP verification code. Something like this: http://www.marzocchi.net/Olafsen/Software/Two-FactorAuthentication

user207351

To do this you have to stack the normal 'ssh_auth' module with the 'pam_opie' module using the 'required' control flag.

Martin
  • That would expose his actual password; the question specifically said "except not my usual login password" – Chris S Sep 10 '10 at 03:59
  • Ah, I missed that! Then he needs a pam module which uses a static second password with ssh-kbdint. Unfortunately I don't know of anyone who has written such a module, but it isn't very hard as you can use ssh_auth and modify it to use another password file. – Martin Sep 11 '10 at 04:52
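As an added illustration of the stacking Martin describes (not from the thread, and not a FreeBSD default), here is what a `/etc/pam.d/sshd` auth stack looks like when the OPIE one-time password and an account password are both `required`. The second factor here is `pam_unix`, i.e. the normal login password the question wanted to avoid; the thread names no module for a separate static password, so none is shown.

```conf
# /etc/pam.d/sshd (FreeBSD) -- constructed example, not the stock file.
#
# With "required" on both modules every login must satisfy BOTH prompts.
# A failed module still lets the stack run to the end, so the user (or an
# attacker) is asked for both factors before any failure is reported and
# cannot tell which factor was wrong.
#
# Prerequisites (assumed): each user has run opiepasswd(1) at least once,
# and /etc/ssh/sshd_config contains
#   UsePAM yes
#   ChallengeResponseAuthentication yes
# so sshd hands the prompts to PAM via keyboard-interactive.
#
# type     control   module             arguments
auth       required  pam_opie.so        no_warn no_fake_prompts
auth       required  pam_unix.so        no_warn
auth       required  pam_nologin.so     no_warn

account    required  pam_login_access.so
account    required  pam_unix.so

session    required  pam_permit.so

password   required  pam_unix.so        no_warn try_first_pass
```

`no_fake_prompts` makes `pam_opie` fail outright for an account with no OPIE key instead of showing a fake challenge, so with `required` such accounts cannot log in over SSH until their key is set; keep a console or key-based path available while testing.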